On Wed, 13 Aug 2014, lcon...@go2france.com wrote:

> fbsd 8.2 VM with BIND 9.9.5
>
> fbsd 10.0-RELEASE VM with BIND 9.10.0-P2
>
> the older machine had uptime of 400+ days, the new machine only a couple weeks
>
> 24 hour query logging shows several million queries/day
>
> At about the same time last night, both stopped answering queries until
> rebooted.
>
> before reboot,
>
> load of about 1 (we see elevated load alerts with ssh brute force attacks)
>
> memory not swapping, plenty of free MBs.
>
> nothing in syslog,
>
> no sign of ssh brute force, ssh worked
>
> rndc status showed ok
>
> sockstat -4 showed bind listening on :53
This part doesn't sound right. sockstat should show the local IP (or host) and the :53 port for the local bound end of the socket for all the interfaces as allowed by listen-on. The sockstat output shouldn't be just :53 nor *:53, for example. So maybe it wasn't listening on the interfaces that you expected, since below you suggest that the loopback one did work. Maybe something temporarily happened during the interface-interval scan and it detected that some interface went away? Do your logs have anything like "no longer listening on 192.168.99.99#53"? I wonder if "rndc scan" would have helped in that case to re-detect it before the next interface-interval.

> all DNS queries from outside the machines timed out
>
> ssh shell command:
>
> "dig @127.0.0.1 domain.tld any" answered normally
>
> What other forensics could have been checked?

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
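The reply above suggests two concrete checks: compare the local addresses that sockstat shows named bound to on port 53 against the addresses you expect from listen-on, and look in the named log for "no longer listening on" messages from the interface-interval scan. The script below is an added example for doing exactly that; it is not from the thread or from ISC. The sockstat output and the log lines embedded in it are constructed sample data (the 192.168.99.99 sockets are deliberately left out to simulate an address that dropped out), and the expected-address list is an assumption standing in for your own listen-on configuration. On a live FreeBSD host you would feed it "$(sockstat -4 -l)" and your real named log instead.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): check which local addresses
# named has bound on port 53 and flag any expected address that is missing,
# then count interface-scan "no longer listening on" messages in a named log.

# Constructed sockstat -4 -l output. The 192.168.99.99 udp4/tcp4 :53 sockets
# are intentionally absent to simulate an address lost after an interface scan.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      1234  20 udp4   127.0.0.1:53          *:*
bind     named      1234  21 tcp4   127.0.0.1:53          *:*
bind     named      1234  22 tcp4   127.0.0.1:953         *:*
root     sshd       700    4 tcp4   *:22                  *:*'

# Constructed named log lines (wording follows the message the reply quotes).
SAMPLE_LOG='13-Aug-2014 02:14:07.113 general: info: no longer listening on 192.168.99.99#53
13-Aug-2014 02:14:07.114 general: info: listening on IPv4 interface lo0, 127.0.0.1#53'

# Assumed listen-on addresses for this host (replace with your own).
EXPECTED_ADDRS='127.0.0.1 192.168.99.99'

# bound_dns_addrs SOCKSTAT_TEXT
# Print, one per line and de-duplicated, every LOCAL ADDRESS on which the
# "named" process has port 53 bound (udp4 or tcp4). A literal "*" here would
# mean a wildcard bind, which the reply says you should not see.
bound_dns_addrs() {
    printf '%s\n' "$1" |
    awk '$2 == "named" && $6 ~ /:53$/ { sub(/:53$/, "", $6); print $6 }' |
    sort -u
}

# missing_dns_addrs SOCKSTAT_TEXT "ADDR ADDR ..."
# Print each expected address that named is NOT bound to on port 53.
missing_dns_addrs() {
    bound=$(bound_dns_addrs "$1")
    for addr in $2; do
        printf '%s\n' "$bound" | grep -qxF -- "$addr" || printf '%s\n' "$addr"
    done
}

# interface_drop_count LOG_TEXT
# Count log lines reporting that named stopped listening on an address.
interface_drop_count() {
    printf '%s\n' "$1" | grep -c 'no longer listening on'
}

# Stand-alone demo on the constructed data. On a real host use
# "$(sockstat -4 -l)" and the contents of your named log file instead.
echo "bound on :53 : $(bound_dns_addrs "$SAMPLE_SOCKSTAT" | tr '\n' ' ')"
echo "missing      : $(missing_dns_addrs "$SAMPLE_SOCKSTAT" "$EXPECTED_ADDRS" | tr '\n' ' ')"
echo "drop messages: $(interface_drop_count "$SAMPLE_LOG")"
```

With the sample data the check reports 127.0.0.1 as bound, 192.168.99.99 as missing, and one "no longer listening on" line, which is the pattern the reply describes: loopback still answers dig while the outside address has silently gone away. If the missing list is non-empty on a live system, `rndc scan` is the command the reply proposes for forcing a re-scan before the next interface-interval.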